[ISN] Book Review: "Web Security and Commerce", Simson Garfinkel/Gene Spaff

From: mea culpa (jerichot_private)
Date: Thu Jul 23 1998 - 23:37:39 PDT

    From: "Rob Slade" <rsladet_private>
    
    BKWBSCCM.RVW   980411
    
    "Web Security and Commerce", Simson Garfinkel/Gene Spafford, 1997,
    1-56592-269-7, U$32.95/C$46.95
    %A   Simson Garfinkel simsongt_private
    %A   Gene Spafford spaft_private
    %C   103 Morris Street, Suite A, Sebastopol, CA   95472
    %D   1997
    %G   1-56592-269-7
    %I   O'Reilly & Associates, Inc.
    %O   U$32.95/C$46.95 800-998-9938 707-829-0515 nutst_private
    %P   483 p.
    %T   "Web Security and Commerce"
    
    Anyone who does not know the names Spafford and Garfinkel simply does
    not know the field of data security.  The authors, therefore, are well
    aware that data security becomes more complex with each passing week.
    They note, in the Preface, that the book cannot hope to cover all
    aspects of Web security, and therefore they concentrate on those
    topics that are absolutely central to the concept, and/or not widely
    available elsewhere.  Works on related issues are suggested both at
    the beginning and end of the book.
    
    Chapter one, which is also part one, introduces the topic, and the
    various factors involved in Web security.  The topic is examined from
    the perspective of the user and vendor, and also looks at
    vulnerabilities at the server site, client computer, and the network
    in between.
    
    Part two concerns the user.  Chapter two looks at the various possible
    problems with browsers, not all of which are related to Web page
    programming.  Java security is only marginally understood by many
    "experts," and not at all by users, so the coverage in chapter three
    is careful to point out the difference between safety, security, and
    the kind of security risks that can occur even if the sandbox *is*
    secure.  ActiveX and the limitations of authentication certificates
    are thoroughly explored in chapter four.  Chapter five looks briefly
    but analytically at the possible invasions of privacy that can occur
    on the Web.
    
    Part three deals more completely with the question of digital
    certificates.  Chapter six explains the various techniques for
    identification confirmation.  The use of certification authorities is
    reviewed in chapter seven, including the activity this can generate on
    Web browsers.  Chapter eight covers the steps needed to obtain a
    client-side digital certificate from Verisign.  Microsoft's
    Authenticode code signing system is detailed in chapter nine.
    
    Cryptography must be invoked at some point for any kind of data
    security, and particularly for security over insecure networks, so
    part four invests some depth in the topic.  Chapter ten starts with
    cryptographic basics, simply in terms of the various functions
    cryptography can provide.  Functional limitations of cryptography,
    various existing systems, and US and international regulation with
    respect to the technology are discussed in chapter eleven.  SSL
    (Secure Sockets Layer) and TLS (Transport Layer Security) are
    described in chapter twelve.
    
    Part five details technical aspects of securing Web servers.
    Traditional host security weaknesses are reviewed in chapter thirteen.
    Chapter fourteen looks at specific strengthening measures for Web
    servers.  Rules for secure CGI (Common Gateway Interface) and API
    (Application Programmer Interface) programming are promulgated in
    chapter fifteen, along with tips for various languages.
    
    Commercial and societal concerns are major areas in Web security, so
    part six reviews a number of topics related to commerce, as well as
    other social factors.  Chapter sixteen looks at current non-cash
    payment systems, and the various existing, and proposed, digital
    payment systems for online commerce.  Censorship and site blocking are
    carefully examined in chapter seventeen.  A variety of legal issues
    are discussed, civil in chapter eighteen, and criminal in nineteen.
    
    In reviewing books I very often find that appendices are often filler.
    The most useful tend to be bibliographies or lists of vendor contacts.
    Too many seem to be mere self-indulgent filler used by the author to
    pad out the book.  Although it has almost nothing to do with Web
    security as such, I very much enjoyed Appendix A, Garfinkel's
    recounting of the lessons learned in setting up a small ISP (Internet
    Service Provider).  (I suppose that this could be considered valid
    coverage of Web commerce.)  The other appendices are more directly
    related to the topic, including information on the installation of Web
    server certificates, the SSL protocol, the PICS (Platform for Internet
    Content Selection) specification, and references.
    
    In comparison to Stein's "Web Security" (cf. BKWEBSEC.RVW) I find it
    very difficult to choose between the two.  Each is readable, and each
    is aimed pretty much at the same target audience.  There is little to
    choose between them for technical depth: each has useful information
    that the other does not.  Both are excellent: what the heck, buy two,
    they're small.
    
    copyright Robert M. Slade, 1998   BKWBSCCM.RVW   980411
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:39 PDT